Information Security News mailing list archives

Group crafts rating system for server security


From: InfoSec News <isn () C4I ORG>
Date: Fri, 22 Dec 2000 01:55:35 -0600

http://news.cnet.com/news/0-1003-201-4238214-0.html?tag=st.ne.1002.thed.sf

By Robert Lemos
Special to CNET News.com
December 21, 2000, 4:50 p.m. PT

Are your servers as secure as Fort Knox or as open as a revolving
door?

The newly formed Center for Internet Security hopes to answer that
question by creating a suite of tests that would give computer owners
a rating--on a scale of 1 to 10--of how good their security is.

A level-10 server could protect an e-commerce company's virtual gold,
while a level-1 server would be an online vandal's playground.

"Our members are just saying that they would like to see global
benchmarks," said Alan Paller, director of research for the Systems
Administration Networking and Security (SANS) Institute and a founding
member of the 71-member center. "The banks want these types of
benchmarks. The government wants these types of benchmarks. The
center's work is a guide that people will use."

Such a rating system is necessary for the industry to gauge how secure
its virtual assets are, Paller said.

In the future, insurance companies could base the cost of so-called
hacking policies on the rating.

The government may require financial institutions to meet a minimum
rating, and companies that don't meet the minimum may find themselves
the target of a liability lawsuit, he said.

The center's members are working together to create a rating system
for Solaris, Linux and Windows 2000, Paller said. The guidelines could
be completed as early as March 2001.

But can such a global, all-in-one rating work?

"It's very difficult to assign a single number to represent how secure
a server is," said "Weld Pond," the research director for security
firm @Stake, who prefers to use his hacker handle.

For example, while Underwriters Laboratories has a single number for
safes--representing how many hours an expert safe cracker would need
to break in--that model doesn't work in computer security, he said.

However, giving people an idea of how many holes they have plugged is
a good idea, he said. "People generally have no idea about how to
check their computers for security problems. If this group can do this
in an easy way, that's a good thing.

"The only problem I see is it finds only well-known problems in the
most mainstream of software," he added. "Many times it's the somewhat
obscure application that opens a computer up to be compromised. Even a
server that rates a 9 out of 10 could be compromised in a short time
if an attacker knew the single flaw on the system."

The Center--founded Nov. 1--consists of a total of 71 companies,
academic institutions and government organizations, including the
Department of Defense, the National Institute of Standards and
Technology, Intel, Visa International, Chevron and AT&T.

Paller said the actual creators of operating systems are not
welcome--yet.

"Early members asked that the vendors not be involved," he said, for
fear they might "hijack the process."

ISN is hosted by SecurityFocus.com